Cyber Posture

CVE-2025-1643

Medium · Public PoC

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
Patch: upgrade to version 1.1.1
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1643 is a medium-severity CSRF (CWE-352) vulnerability in Modernasistemas Modernanet. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 (Session Authenticity) requires mechanisms that protect the authenticity of communications sessions, such as anti-CSRF tokens, which directly prevent the forged requests this CSRF vulnerability relies on.

Prevent: SI-10 (Information Input Validation) mandates validation of inputs, including verification of CSRF tokens or request origins, to block unauthorized forged requests to the vulnerable endpoint.

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for access, addressing the missing-authorization (CWE-862) aspect that allows CSRF-induced unauthorized modifications.
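As an added illustration of the three controls above (example code, not from the page or from ModernaNet), the following Python handler is a hypothetical stand-in for a password-change endpoint such as SG_AlterarSenha: it rejects requests whose Origin/Referer is not the site's own (SI-10), requires a per-session anti-CSRF token compared in constant time (SC-23), and re-authenticates with the current password so a forged request riding on the session cookie cannot change it (AC-3). The origin, the in-memory session object and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the application's own origin; any other Origin/Referer is rejected (SI-10).
ALLOWED_ORIGIN = "https://portal.example.test"

def hash_password(pw: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 hash, stored as 'salthex$digesthex' (hypothetical storage format)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(pw: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(pw, bytes.fromhex(salt_hex)), stored)

@dataclass
class Session:
    """Constructed stand-in for the server-side session of a logged-in user."""
    user: str
    password_hash: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def origin_allowed(headers: dict) -> bool:
    """SI-10: require an Origin (or Referer) header that matches the site itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN

def change_password(session: Session, headers: dict, form: dict) -> tuple:
    """Hardened password-change handler; returns (status, message)."""
    if not origin_allowed(headers):
        return 403, "origin not allowed"
    # SC-23: per-session synchronizer token, compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    # AC-3: re-authenticate with the current password; a cross-site forged
    # request carries the cookie but cannot supply this secret.
    if not verify_password(form.get("current_password", ""), session.password_hash):
        return 403, "current password incorrect"
    session.password_hash = hash_password(form.get("new_password", ""))
    session.csrf_token = secrets.token_urlsafe(32)  # rotate after a sensitive action
    return 200, "password changed"
```

A page on the attacker's origin can auto-submit a form to this handler with the victim's cookie, but it fails all three checks; only a same-origin form that embeds the session token and the current password succeeds.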

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The CSRF weakness sits in the password-change endpoint (SG_AlterarSenha) of a public-facing web application, so exploitation is an instance of Exploit Public-Facing Application (T1190). Because a forged request can force a password change, it also enables unauthorized Account Manipulation (T1098), which can lead to account takeover.

NVD Description

A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the file /DadosPessoais/SG_AlterarSenha. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.

Deeper analysis

CVE-2025-1643 is a cross-site request forgery (CSRF) vulnerability, rated as problematic, in Benner ModernaNet versions up to 1.1.0. The issue affects the processing of the /DadosPessoais/SG_AlterarSenha endpoint, associated with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility with low complexity but requiring user interaction.

Remote attackers without privileges can exploit this vulnerability by tricking authenticated users into performing unintended actions via forged requests to the vulnerable endpoint. Successful exploitation results in low-impact integrity violations, such as unauthorized modifications, with no confidentiality or availability effects.

Advisories recommend upgrading to Benner ModernaNet version 1.1.1 to address the issue. Relevant references include VulDB entries at https://vuldb.com/?ctiid.296693, https://vuldb.com/?id.296693, and https://vuldb.com/?submit.500574, as well as a CVE tracking repository at https://github.com/yago3008/cves.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery), CWE-862 (Missing Authorization)

Affected Products: modernasistemas modernanet ≤ 1.1.1

CVEs Like This One

CVE-2025-1642: same product (Modernasistemas Modernanet)
CVE-2025-1641: same product (Modernasistemas Modernanet)
CVE-2025-1640: same product (Modernasistemas Modernanet)
CVE-2024-55076: shared CWE-352
CVE-2026-24885: shared CWE-352
CVE-2025-1687: shared CWE-352
CVE-2026-1169: shared CWE-352, CWE-862
CVE-2025-1891: shared CWE-352, CWE-862
CVE-2026-40581: shared CWE-352, CWE-862
CVE-2026-3770: shared CWE-352, CWE-862
